ansible/library/postgresql_user

#!/usr/bin/python
# -*- coding: utf-8 -*-

# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.

try:
    import psycopg2
except ImportError:
    postgresqldb_found = False
else:
    postgresqldb_found = True

# ===========================================
# PostgreSQL module specific support methods.
#


def user_exists(cursor, user):
    query = "SELECT rolname FROM pg_roles WHERE rolname=%(user)s"
    cursor.execute(query, {'user': user})
    return cursor.rowcount > 0


def user_add(cursor, user, password, db):
    """Create a new user with write access to the database"""
    query = "CREATE USER %(user)s with PASSWORD '%(password)s'"
    cursor.execute(query % {"user": user, "password": password})
    grant_privileges(cursor, user, db)
    return True


def has_privileges(cursor, user, db):
    """Check if the user has create privileges on the database"""
    query = "SELECT has_database_privilege(%(user)s, %(db)s, 'CREATE')"
    cursor.execute(query, {'user': user, 'db': db})
    return cursor.fetchone()[0]


def grant_privileges(cursor, user, db):
    """Grant all privileges on the database"""
    query = "GRANT ALL PRIVILEGES ON DATABASE %(db)s TO %(user)s"
    cursor.execute(query % {'user': user, 'db': db})


def revoke_privileges(cursor, user, db):
    """Revoke all privileges on the database"""
    query = "REVOKE ALL PRIVILEGES ON DATABASE %(db)s FROM %(user)s"
    cursor.execute(query % {'user': user, 'db': db})


def user_mod(cursor, user, password, db):
    """Update password and permissions"""
    changed = False

    # Handle passwords.
    if password is not None:
        select = "SELECT rolpassword FROM pg_authid where rolname=%(user)s"
        cursor.execute(select, {"user": user})
        current_pass_hash = cursor.fetchone()[0]
        # Not sure how to hash the new password, so we just initiate the
        # change and check if the hash changed
        alter = "ALTER USER %(user)s WITH PASSWORD '%(password)s'"
        cursor.execute(alter % {"user": user, "password": password})
        cursor.execute(select, {"user": user})
        new_pass_hash = cursor.fetchone()[0]
        if current_pass_hash != new_pass_hash:
            changed = True

    # Handle privileges.
    # For now, we just check if the user has access to the database
    if not has_privileges(cursor, user, db):
        grant_privileges(cursor, user, db)
        changed = True

    return changed


def user_delete(cursor, user, db):
    """Delete a user, first revoking privileges"""
    revoke_privileges(cursor, user, db)
    cursor.execute("DROP USER %(user)s" % {'user': user})
    return True


# ===========================================
# Module execution.
#


def main():
    module = AnsibleModule(
        argument_spec=dict(
            login_user=dict(default="postgres"),
            login_password=dict(default=""),
            login_host=dict(default=""),
            user=dict(required=True, aliases=['name']),
            password=dict(default=None),
            state=dict(default="present", choices=["absent", "present"]),
            db=dict(required=True),
        )
    )
    user = module.params["user"]
    password = module.params["password"]
    state = module.params["state"]
    db = module.params["db"]

    if not postgresqldb_found:
        module.fail_json(msg="the python psycopg2 module is required")

    try:
        db_connection = psycopg2.connect(host=module.params["login_host"],
                                         user=module.params["login_user"],
                                         password=module.params["login_password"],
                                         database=db)
        cursor = db_connection.cursor()
    except Exception as e:
        module.fail_json(msg="unable to connect to database: %s" % e)

    if state == "present":
        if user_exists(cursor, user):
            changed = user_mod(cursor, user, password, db)
        else:
            if password is None:
                msg = "password parameter required when adding a user"
                module.fail_json(msg=msg)
            changed = user_add(cursor, user, password, db)

    elif state == "absent":
        if user_exists(cursor, user):
            changed = user_delete(cursor, user, db)
        else:
            changed = False
    # Commit the database changes
    db_connection.commit()
    module.exit_json(changed=changed, user=user)

# this is magic, see lib/ansible/module_common.py
#<<INCLUDE_ANSIBLE_MODULE_COMMON>>
main()
Add postgresql_db and postgresql_user module. These modules are based on the mysql_db and mysql_user modules. Currently, the postgresql_user module can only grant all permissions on a database, fine-grained access has not been implemented yet. 2012-07-26 17:02:28 +02:00			`#!/usr/bin/python`
Add encoding lines to python modules such that they can take unicode options if they are fed them, since the AnsibleModule stuff no longer base64 encodes for simplicity and speed reasons. 2012-08-03 03:29:10 +02:00			`# -- coding: utf-8 --`
Add postgresql_db and postgresql_user module. These modules are based on the mysql_db and mysql_user modules. Currently, the postgresql_user module can only grant all permissions on a database, fine-grained access has not been implemented yet. 2012-07-26 17:02:28 +02:00
			`# This file is part of Ansible`
			`#`
			`# Ansible is free software: you can redistribute it and/or modify`
			`# it under the terms of the GNU General Public License as published by`
			`# the Free Software Foundation, either version 3 of the License, or`
			`# (at your option) any later version.`
			`#`
			`# Ansible is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public License`
			`# along with Ansible. If not, see <http://www.gnu.org/licenses/>.`

			`try:`
			`import psycopg2`
			`except ImportError:`
			`postgresqldb_found = False`
			`else:`
			`postgresqldb_found = True`

			`# ===========================================`
			`# PostgreSQL module specific support methods.`
			`#`


			`def user_exists(cursor, user):`
			`query = "SELECT rolname FROM pg_roles WHERE rolname=%(user)s"`
			`cursor.execute(query, {'user': user})`
			`return cursor.rowcount > 0`


Use standard argument names in PostgreSQL modules passwd -> password loginpass -> login_password loginuser -> login_user loginhost -> login_host Add an example playbook that shows how to use the modules. 2012-07-29 18:47:44 +02:00			`def user_add(cursor, user, password, db):`
Add postgresql_db and postgresql_user module. These modules are based on the mysql_db and mysql_user modules. Currently, the postgresql_user module can only grant all permissions on a database, fine-grained access has not been implemented yet. 2012-07-26 17:02:28 +02:00			`"""Create a new user with write access to the database"""`
Use standard argument names in PostgreSQL modules passwd -> password loginpass -> login_password loginuser -> login_user loginhost -> login_host Add an example playbook that shows how to use the modules. 2012-07-29 18:47:44 +02:00			`query = "CREATE USER %(user)s with PASSWORD '%(password)s'"`
			`cursor.execute(query % {"user": user, "password": password})`
Add postgresql_db and postgresql_user module. These modules are based on the mysql_db and mysql_user modules. Currently, the postgresql_user module can only grant all permissions on a database, fine-grained access has not been implemented yet. 2012-07-26 17:02:28 +02:00			`grant_privileges(cursor, user, db)`
			`return True`


			`def has_privileges(cursor, user, db):`
			`"""Check if the user has create privileges on the database"""`
			`query = "SELECT has_database_privilege(%(user)s, %(db)s, 'CREATE')"`
			`cursor.execute(query, {'user': user, 'db': db})`
			`return cursor.fetchone()[0]`


			`def grant_privileges(cursor, user, db):`
			`"""Grant all privileges on the database"""`
			`query = "GRANT ALL PRIVILEGES ON DATABASE %(db)s TO %(user)s"`
			`cursor.execute(query % {'user': user, 'db': db})`


			`def revoke_privileges(cursor, user, db):`
			`"""Revoke all privileges on the database"""`
			`query = "REVOKE ALL PRIVILEGES ON DATABASE %(db)s FROM %(user)s"`
			`cursor.execute(query % {'user': user, 'db': db})`


Use standard argument names in PostgreSQL modules passwd -> password loginpass -> login_password loginuser -> login_user loginhost -> login_host Add an example playbook that shows how to use the modules. 2012-07-29 18:47:44 +02:00			`def user_mod(cursor, user, password, db):`
Add postgresql_db and postgresql_user module. These modules are based on the mysql_db and mysql_user modules. Currently, the postgresql_user module can only grant all permissions on a database, fine-grained access has not been implemented yet. 2012-07-26 17:02:28 +02:00			`"""Update password and permissions"""`
			`changed = False`

			`# Handle passwords.`
Use standard argument names in PostgreSQL modules passwd -> password loginpass -> login_password loginuser -> login_user loginhost -> login_host Add an example playbook that shows how to use the modules. 2012-07-29 18:47:44 +02:00			`if password is not None:`
Add postgresql_db and postgresql_user module. These modules are based on the mysql_db and mysql_user modules. Currently, the postgresql_user module can only grant all permissions on a database, fine-grained access has not been implemented yet. 2012-07-26 17:02:28 +02:00			`select = "SELECT rolpassword FROM pg_authid where rolname=%(user)s"`
			`cursor.execute(select, {"user": user})`
			`current_pass_hash = cursor.fetchone()[0]`
			`# Not sure how to hash the new password, so we just initiate the`
			`# change and check if the hash changed`
Use standard argument names in PostgreSQL modules passwd -> password loginpass -> login_password loginuser -> login_user loginhost -> login_host Add an example playbook that shows how to use the modules. 2012-07-29 18:47:44 +02:00			`alter = "ALTER USER %(user)s WITH PASSWORD '%(password)s'"`
			`cursor.execute(alter % {"user": user, "password": password})`
Add postgresql_db and postgresql_user module. These modules are based on the mysql_db and mysql_user modules. Currently, the postgresql_user module can only grant all permissions on a database, fine-grained access has not been implemented yet. 2012-07-26 17:02:28 +02:00			`cursor.execute(select, {"user": user})`
			`new_pass_hash = cursor.fetchone()[0]`
			`if current_pass_hash != new_pass_hash:`
			`changed = True`

			`# Handle privileges.`
			`# For now, we just check if the user has access to the database`
			`if not has_privileges(cursor, user, db):`
			`grant_privileges(cursor, user, db)`
			`changed = True`

			`return changed`


			`def user_delete(cursor, user, db):`
			`"""Delete a user, first revoking privileges"""`
			`revoke_privileges(cursor, user, db)`
			`cursor.execute("DROP USER %(user)s" % {'user': user})`
			`return True`



			`# ===========================================`
			`# Module execution.`
			`#`


			`def main():`
			`module = AnsibleModule(`
			`argument_spec=dict(`
Use standard argument names in PostgreSQL modules passwd -> password loginpass -> login_password loginuser -> login_user loginhost -> login_host Add an example playbook that shows how to use the modules. 2012-07-29 18:47:44 +02:00			`login_user=dict(default="postgres"),`
			`login_password=dict(default=""),`
			`login_host=dict(default=""),`
Module consistency and make daisy chaining work with invalid arguments detection. 2012-08-01 06:21:36 +02:00			`user=dict(required=True, aliases=['name']),`
Use standard argument names in PostgreSQL modules passwd -> password loginpass -> login_password loginuser -> login_user loginhost -> login_host Add an example playbook that shows how to use the modules. 2012-07-29 18:47:44 +02:00			`password=dict(default=None),`
Add postgresql_db and postgresql_user module. These modules are based on the mysql_db and mysql_user modules. Currently, the postgresql_user module can only grant all permissions on a database, fine-grained access has not been implemented yet. 2012-07-26 17:02:28 +02:00			`state=dict(default="present", choices=["absent", "present"]),`
			`db=dict(required=True),`
			`)`
			`)`
			`user = module.params["user"]`
Use standard argument names in PostgreSQL modules passwd -> password loginpass -> login_password loginuser -> login_user loginhost -> login_host Add an example playbook that shows how to use the modules. 2012-07-29 18:47:44 +02:00			`password = module.params["password"]`
Add postgresql_db and postgresql_user module. These modules are based on the mysql_db and mysql_user modules. Currently, the postgresql_user module can only grant all permissions on a database, fine-grained access has not been implemented yet. 2012-07-26 17:02:28 +02:00			`state = module.params["state"]`
			`db = module.params["db"]`

			`if not postgresqldb_found:`
			`module.fail_json(msg="the python psycopg2 module is required")`

			`try:`
Use standard argument names in PostgreSQL modules passwd -> password loginpass -> login_password loginuser -> login_user loginhost -> login_host Add an example playbook that shows how to use the modules. 2012-07-29 18:47:44 +02:00			`db_connection = psycopg2.connect(host=module.params["login_host"],`
			`user=module.params["login_user"],`
			`password=module.params["login_password"],`
Add postgresql_db and postgresql_user module. These modules are based on the mysql_db and mysql_user modules. Currently, the postgresql_user module can only grant all permissions on a database, fine-grained access has not been implemented yet. 2012-07-26 17:02:28 +02:00			`database=db)`
			`cursor = db_connection.cursor()`
			`except Exception as e:`
			`module.fail_json(msg="unable to connect to database: %s" % e)`

			`if state == "present":`
			`if user_exists(cursor, user):`
Use standard argument names in PostgreSQL modules passwd -> password loginpass -> login_password loginuser -> login_user loginhost -> login_host Add an example playbook that shows how to use the modules. 2012-07-29 18:47:44 +02:00			`changed = user_mod(cursor, user, password, db)`
Add postgresql_db and postgresql_user module. These modules are based on the mysql_db and mysql_user modules. Currently, the postgresql_user module can only grant all permissions on a database, fine-grained access has not been implemented yet. 2012-07-26 17:02:28 +02:00			`else:`
Use standard argument names in PostgreSQL modules passwd -> password loginpass -> login_password loginuser -> login_user loginhost -> login_host Add an example playbook that shows how to use the modules. 2012-07-29 18:47:44 +02:00			`if password is None:`
			`msg = "password parameter required when adding a user"`
Add postgresql_db and postgresql_user module. These modules are based on the mysql_db and mysql_user modules. Currently, the postgresql_user module can only grant all permissions on a database, fine-grained access has not been implemented yet. 2012-07-26 17:02:28 +02:00			`module.fail_json(msg=msg)`
Use standard argument names in PostgreSQL modules passwd -> password loginpass -> login_password loginuser -> login_user loginhost -> login_host Add an example playbook that shows how to use the modules. 2012-07-29 18:47:44 +02:00			`changed = user_add(cursor, user, password, db)`
Add postgresql_db and postgresql_user module. These modules are based on the mysql_db and mysql_user modules. Currently, the postgresql_user module can only grant all permissions on a database, fine-grained access has not been implemented yet. 2012-07-26 17:02:28 +02:00
			`elif state == "absent":`
			`if user_exists(cursor, user):`
			`changed = user_delete(cursor, user, db)`
			`else:`
			`changed = False`
			`# Commit the database changes`
			`db_connection.commit()`
			`module.exit_json(changed=changed, user=user)`

			`# this is magic, see lib/ansible/module_common.py`
			`#<<INCLUDE_ANSIBLE_MODULE_COMMON>>`
			`main()`